W32/Aplore-A

Discussion in 'malware problems & news' started by FanJ, Apr 9, 2002.

Thread Status:
Not open for further replies.
FanJ

    Name: W32/Aplore-A
    Type: Win32 worm
    Date: 9 April 2002

    At the time of writing Sophos has received just one report of
    this worm from the wild.


    Description:

    W32/Aplore-A is a Win32 worm which uses Microsoft Outlook to
    spread. It copies itself into the Windows system directory as
    explorer.exe and psecure20x-cgi-install6.01.bin.hx.com and adds
    the following value to the registry to run itself on Windows
    startup:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explorer =
    "<windows system folder>\explorer.exe"

    When run, the worm drops and runs the VBScript email.vbs which
    attempts to send an email with the worm files attached to all
    contacts from the Outlook address book.

    The emails will have the following characteristics:

    Subject line:
    .
    Message body:
    .
    Attached file:
    psecure20x-cgi-install.version6.01.bin.hx.com


    W32/Aplore-A also contains an IRC client and an HTTP server.
    Before the internal web server is started, the worm drops the
    file index.html which acts as a homepage for the server. When
    the server is started, it listens for a connection on port 8180.

    The IRC client attempts to connect to an IRC server and join
    several channels with a nickname randomly chosen from a list of
    female names stored in the worm code. The worm sends messages
    containing a link to the infected machine's web server to the
    IRC channels. The messages sent to the IRC channel contain the
    text "FREE PORN:" and the IP address of the infected machine.

    If a user attempts to connect to the server then the server
    sends the previously dropped index.html.

    Read the analysis at
    http://www.sophos.com/virusinfo/analyses/w32aplorea.html
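The advisory above lists host and network artifacts a defender can look for: the Run value named `Explorer` pointing at an `explorer.exe` inside the Windows system directory (the genuine shell binary lives in the Windows directory itself, not the system directory, and is not started from the Run key), the dropped file `psecure20x-cgi-install6.01.bin.hx.com`, a TCP listener on port 8180, the mail attachment name, and IRC messages that carry "FREE PORN:" plus the infected host's IP address. The script below is an added triage example written for this thread; it is not code from the post or from Sophos. It checks each of those indicators against constructed inputs (a Run-key dump, a system-directory listing, `netstat -an` lines, an IRC message and an attachment name), and the input formats, the `192.0.2.x` addresses and the `C:\WINDOWS\System32` path are assumptions made for the sample, not values from the advisory.

```python
"""Host/network triage for the W32/Aplore-A indicators quoted in the thread.

Added example: the indicator values come from the advisory text; the input
formats and all sample data below are constructed for illustration.
"""
import re

# Indicators as stated in the advisory
RUN_VALUE_NAME = "Explorer"
DROPPED_FILES = {"explorer.exe", "psecure20x-cgi-install6.01.bin.hx.com"}
MAIL_ATTACHMENT = "psecure20x-cgi-install.version6.01.bin.hx.com"
HTTP_PORT = 8180
IRC_MARKER = "FREE PORN:"

# A dotted IPv4 address anywhere in a line of text
_IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# A `netstat -an` line for a listening TCP socket; group 1 is the local port
_NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)


def check_run_key(run_values, system_dir):
    """run_values: {value name: data} read from HKLM\\...\\CurrentVersion\\Run.
    Flags an 'Explorer' value whose data is explorer.exe under the *system*
    directory; the real shell is %WINDIR%\\explorer.exe and is not run from here."""
    data = run_values.get(RUN_VALUE_NAME, "")
    expected = system_dir.rstrip("\\").lower() + r"\explorer.exe"
    if data.strip('"').lower() == expected:
        return [f"Run value '{RUN_VALUE_NAME}' points at {data}"]
    return []


def check_dropped_files(listing):
    """listing: file names found in the Windows system directory."""
    present = {name for name in listing if name.lower() in DROPPED_FILES}
    return [f"dropped file present: {name}" for name in sorted(present)]


def check_listener(netstat_lines):
    """netstat_lines: raw lines of `netstat -an` output."""
    for line in netstat_lines:
        m = _NETSTAT_RE.match(line)
        if m and int(m.group(1)) == HTTP_PORT:
            return [f"TCP listener on port {HTTP_PORT}: {line.strip()}"]
    return []


def check_irc_message(text):
    """Flags the lure text and extracts any IPv4 address it advertises."""
    if IRC_MARKER.lower() not in text.lower():
        return []
    ips = _IPV4_RE.findall(text)
    if not ips:
        return [f"IRC lure '{IRC_MARKER}' without address"]
    return [f"IRC lure '{IRC_MARKER}' with address {ip}" for ip in ips]


def check_attachment(filename):
    if filename.lower() == MAIL_ATTACHMENT:
        return [f"mail attachment name matches worm: {filename}"]
    return []


def triage(system_dir, run_values, listing, netstat_lines, irc_messages, attachments):
    """Runs every check and returns the combined list of findings."""
    findings = []
    findings += check_run_key(run_values, system_dir)
    findings += check_dropped_files(listing)
    findings += check_listener(netstat_lines)
    for msg in irc_messages:
        findings += check_irc_message(msg)
    for name in attachments:
        findings += check_attachment(name)
    return findings


# --- constructed sample inputs (not captured from a real infection) ---
SAMPLE_SYSTEM_DIR = r"C:\WINDOWS\System32"
SAMPLE_RUN_VALUES = {"Explorer": r'"C:\WINDOWS\System32\explorer.exe"'}
SAMPLE_LISTING = ["kernel32.dll", "explorer.exe",
                  "psecure20x-cgi-install6.01.bin.hx.com"]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:8180           0.0.0.0:0              LISTENING",
    "  TCP    192.0.2.10:1028        192.0.2.55:6667        ESTABLISHED",
]
SAMPLE_IRC = ["FREE PORN: http://192.0.2.10:8180/"]
SAMPLE_ATTACHMENTS = ["psecure20x-cgi-install.version6.01.bin.hx.com"]


def run_sample():
    return triage(SAMPLE_SYSTEM_DIR, SAMPLE_RUN_VALUES, SAMPLE_LISTING,
                  SAMPLE_NETSTAT, SAMPLE_IRC, SAMPLE_ATTACHMENTS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On a live host the same checks would be fed from a registry export of the Run key, a directory listing of the system folder, and `netstat -an`; the advisory's own indicators are enough to make each of the five findings independently, which is useful because a stopped worm leaves the registry value and dropped files behind even when the port 8180 listener is gone.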